dolibarr

v23.0.3 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 17d Productivity & Wikis
✓ No known CVEs patched
This release patches 3 known CVEs

Topics

accounting agenda crm erp human-resource-managment invoice invoices invoicing mysql orders php postgresql proposal purchase quotations sales stock stocks suppliers

Affected surfaces

auth rbac rce_ssrf

ReleasePort's take

Light signal
editorial:auto 13d

Dolibarr 23.0.3 resolves IDOR, SSRF, and SQL injection vulnerabilities across multiple surfaces.

Why it matters: Patch to 23.0.3 immediately to remediate critical security issues affecting API endpoints, messaging, file manager permissions, AI module calls, contract service queries, and website header sanitization.

Summary

AI summary

Fixes IDOR, SSRF, and SQL injection vulnerabilities.

Changes in this release

Security High

Fix IDOR vulnerability on messaging.php endpoint

Source: granite4.1:30b@2026-05-21-audit

Confidence: high

Security High

Add permission check to legacy file manager access

Source: granite4.1:30b@2026-05-21-audit

Confidence: high

Security High

Mitigate SSRF risk in AI module usage

Source: granite4.1:30b@2026-05-21-audit

Confidence: high

Security Medium

Improve sanitization of GETPOST data for htmlheader in website pages

Source: granite4.1:30b@2026-05-21-audit

Confidence: high

Security Medium

IDOR fix on messaging.php - Credit Aksoum Abderrahmane

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Security Medium

Add permission test on legacy filemanager - Credit Aksoum Abderrahmane

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Security Medium

Prevent AI module from making SSRF call - Credit Dilip

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Security Medium

Better sanitization for GETPOST of htmlheader of website page

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Security Medium

Prevent param from end user entry

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Security Medium

Fix SQL Injection via Operator Injection in Contract Service List

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Breaking Medium

Broken feature with API auth and Multicompany transverse mode fixed

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Feature Medium

Limit standard on price list (#37944)

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Feature Medium

Propagate fk_warehouse from BOM/MO to production lines in createProduction() and processBOM() (#38147)

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Feature Medium

Set default warehouse on order creation (#37815)

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Feature Medium

Use company default RIB when defined (#38016)

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Fix issue #36589

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Fix accounting account cache silent reference mutation

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Avoid error when deleting a category

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Avoid PostgreSQL error (#37865)

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Fix missing table 'llx_categorie_project_task' reference (#37861)

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Do not print Extrafields in PDF if printable is 0 (#37789)

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Prevent draft invoice from being paid when adding absolute discount equal to remaining amount (#38104)

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Fix extrafield selectlist issue with linked table (#37706)

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Preserve default_vat_code and tva_npr when auto-creating initial product_price row (#38034)

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Fix selected default value issue on select_produits_fournisseurs_list()

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Fix wrong foreign key REFERENCES for fk_project_task (#37874)

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Prevent cross-customer object creation on API (proposal, orders) - Credit Mitch311

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high

Bugfix Medium

Add site root to $backtopage (#37804)

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low

Bugfix Low

Include site root in $backtopage variable for navigation

Source: granite4.1:30b@2026-05-21-audit

Confidence: low

Full changelog

***** ChangeLog for 23.0.3 compared to 23.0.2 *****

FIX: #36589 (#38037)
FIX: #37552 (#38073)
FIX: #37649 (#38101)
FIX: #37759
FIX: #37760
FIX: #37761
FIX: #37762
FIX: #37805
FIX: #38074 (#38075)
FIX: #38131 (#38140)
FIX: Accountancy - Select journal - Problem with the label (#37979)
FIX: AccountingAccount cache — silent reference mutation in accounting journals (#37981)
FIX: a param must not come from end user entry.
FIX: api create invoice. Do not allow a user limited as sale
FIX: avoid error when deleting a category (#37864)
FIX: avoid error with postgresql (#37865)
FIX: avoid Table 'llx_categorie_project_task' doesn't exist (#37861)
FIX: broken feature with api auth and Multicompany transverse mode (#37868)
FIX: do not print Extrafields in PDF if printable is 0 (#37789)
FIX: draft invoice paid when add absolute discount == remain to pay (#38104)
FIX: extrafield selectlist when there is a linked table (#37706)
FIX: Limit standard on price list (#37944)
FIX: missing "blob:" in the assistant for CSP editor.
FIX: option MEMBER_SEARCH_MEMBER_PUBLIC_FORM_CREATE
FIX: product price.php: preserve default_vat_code and tva_npr when auto-creating initial product_price row (#38034)
FIX: propagate fk_warehouse from BOM/MO to production lines in createProduction() and processBOM() (#38147)
FIX: selected default value ko on select_produits_fournisseurs_list()
FIX: Set default warehouse on order create. (#37815)
FIX: Site root missing in $backtopage. (#37804)
FIX: use company default RIB when it is defined (#38016)
FIX: wrong "REFERENCES" for foreign key of fk_project_task (report this fix in 23 to 24) (#37874)
FIX: IDOR on messaging.php - Credit Aksoum Abderrahmane
FIX: Some remaining cross-customer object creation on API (proposal, orders) - Credit Mitch311
FIX: add permission test on legacy filemanager - Credit Aksoum Abderrahmane
FIX: Can use AI module to make SSRF call. Credit Dilip
FIX: #GHSA-crgg-h74r-2m8r (#37636)
FIX: #GHSA-hq5j-39f9-qxcv (#37812)
FIX: SQL Injection via Operator Injection in Contract Service List
SEC: Better sanitization param for GETPOST of htmlheader of website page - See commit bbbbb56c6455514dcd0acca53afc17a92ed21bb9

Security Fixes

  • IDOR on messaging.php – Credit Aksoum Abderrahmane
  • SSRF via AI module – Credit Dilip
  • SQL Injection via Operator Injection in Contract Service List

About dolibarr

Dolibarr ERP CRM is a modern software package to manage your company or foundation's activity (contacts, suppliers, invoices, orders, stocks, agenda, accounting, ...). It is an open-source web application (written in PHP) designed for businesses of any size, foundations and freelancers.
